parallel-monitor
Fail
Audited by Snyk on May 8, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). The presence of a direct install script (https://parallel.ai/install.sh) is potentially dangerous to run without verifying the publisher and inspecting the script (it matches a high-risk pattern: direct .sh download for execution), while https://example.com/hook is merely a placeholder webhook URL and not an executable; overall treat this set as moderately suspicious until the install.sh is validated.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly creates long-running monitors that "re-check the web on a cadence" for arbitrary queries (e.g., competitor pages, public websites) and instructs the agent to summarize events and "cite source URLs from the event payload," meaning it ingests and acts on untrusted, public third-party web content.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's Setup explicitly directs running "curl -fsSL https://parallel.ai/install.sh | bash", which fetches and directly executes remote code and is presented as the installer for the required runtime dependency (parallel-cli), so it is a high-risk external dependency.
Issues (3)
- E005 (CRITICAL): Suspicious download URL detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata